The ransomware, which they've dubbed "KeRanger," first appeared March 4, disguised as an RTF document inside installers for a popular, open source BitTorrent client called Transmission, Palo Alto researchers Claud Xiao and Jin Chen write in a March 6 blog post. The malware requires users to allow it to be installed. But because the malicious "Transmission.app" was signed with a legitimate Apple developer certificate, the software wouldn't have tripped the Apple operating system's Gatekeeper defense, which by default prevents unsigned applications from being installed, the Palo Alto researchers say.

"We reported the issue to the Transmission Project and to Apple immediately after we identified it," the researchers add. "Apple has since revoked the abused certificate, and Gatekeeper will now block the malicious installers."

Apple has also added the ransomware signatures to XProtect, a basic OS X anti-malware feature, while the Transmission Project removed the Trojanized installers from its website March 5, the researchers add. They've also published technical instructions to help ascertain if a Mac is infected with the ransomware.

But anyone who downloaded and installed Transmission version 2.90 - either from the software's dedicated website or from third-party sites - is at risk and has just 72 hours to ensure that they have removed the software from their system, they say. That's because once it gets installed, the ransomware is set to begin encrypting all files - including Time Machine backups - after three days. It then demands 1 bitcoin - currently worth about $400 - in exchange for an encryption key to decrypt the files.

The Transmission Project, meanwhile, has pushed a new, ransomware-free version and warned all 2.90 users to upgrade. "Everyone running 2.90 on OS X should immediately upgrade to and run 2.92, as they may have downloaded a malware-infected file. This new version will make sure that the 'OSX.KeRanger.A' ransomware ... is correctly removed from your computer," according to an alert posted to its website. "Users of 2.91 should also immediately upgrade to and run 2.92. Even though 2.91 was never infected, it did not automatically remove the malware-infected file."

Refined Malware Attacks

Criminals have been continuing to refine their ransomware attacks, which enable them to automatically infect and extort large numbers of end users (see Refined Ransomware Streamlines Extortion). More recently, the number of targeted attacks - against organizations that criminals perceive to be more likely to pay larger ransoms - has also continued to increase (see Ransomware Hits Hospitals).

Brussels-based information security expert Xavier Mertens, who's a handler for SANS Institute's Internet Storm Center, says that the emergence of Mac ransomware isn't surprising. "[The] more a tool, a platform or an environment is popular, [the] more it will be targeted," he says in a blog post. "Those who still think that they are safe with their OS X environment are wrong."

As of early March 7, only 2 out of 54 anti-virus scanners were detecting the malware, according to the free malware-scanning service VirusTotal.

But KeRanger appears to be the first fully functional, native OS X ransomware, and Mertens emphasizes that it's designed to defeat built-in OS X security defenses because "the binary is signed with a legit developer certificate." He also warns that "it also attempts to encrypt Time Machine backups, which are very popular and used by most OS X users."
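Gatekeeper checks that an application carries a valid Developer ID signature, not which developer signed it, which is why the malicious Transmission.app passed until Apple revoked the abused certificate. A defender who wants a stronger check can compare the signer's Team ID against a value verified out-of-band with the vendor. The following POSIX shell script is an added example, not code from the article, Palo Alto Networks, Apple or the Transmission Project; `EXPECTED_TEAM_ID`, the bundle identifier and the two `codesign -dvv` output samples are constructed placeholders, and only the `codesign` tool and its output field names (`Authority=`, `TeamIdentifier=`) are real.

```shell
#!/bin/sh
# Added example: compare an app bundle's Developer ID signer against a
# known-good Team ID. Gatekeeper alone only proves *some* Developer ID
# certificate signed the app, so a revoked-later certificate like the one
# abused by KeRanger would pass until Apple pulled it.

# Placeholder: substitute the Team ID you verified out-of-band for the vendor.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-TEAMID0000}"

# Parse `codesign -dvv` output (passed in as one string) and return 0 only if
# a "Developer ID Application" authority is present AND the TeamIdentifier
# matches EXPECTED_TEAM_ID. Prints a one-line verdict.
check_codesign_output() {
    team=$(printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p')
    devid_count=$(printf '%s\n' "$1" | grep -c '^Authority=Developer ID Application:') || true
    if [ "$team" = "$EXPECTED_TEAM_ID" ] && [ "$devid_count" -gt 0 ]; then
        echo "signer matches expected Team ID $team"
        return 0
    fi
    echo "signer MISMATCH: got TeamIdentifier='${team:-none}', expected $EXPECTED_TEAM_ID" >&2
    return 1
}

# On a Mac, run the real check against an installed bundle, e.g.
#   assess_app /Applications/Transmission.app
# codesign prints its verbose details on stderr, hence 2>&1.
assess_app() {
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available on this host" >&2
        return 2
    fi
    out=$(codesign -dvv "$1" 2>&1) || { echo "signature missing or invalid: $1" >&2; return 1; }
    check_codesign_output "$out"
}

# Constructed sample output in the layout codesign -dvv uses. The first
# matches the placeholder Team ID; the second is a validly signed bundle from
# a different developer, which Gatekeeper would still accept.
SAMPLE_GOOD="Executable=/Applications/Transmission.app/Contents/MacOS/Transmission
Identifier=org.example.transmission
Authority=Developer ID Application: Example Vendor (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000"

SAMPLE_OTHER="Executable=/Applications/Transmission.app/Contents/MacOS/Transmission
Identifier=org.example.transmission
Authority=Developer ID Application: Some Other Developer (OTHERID999)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=OTHERID999"
```

The point the two samples make is that both would satisfy Gatekeeper's default policy; only the Team ID comparison distinguishes the vendor's own certificate from any other valid Developer ID. Certificate revocation, as Apple applied it here, is the platform-side equivalent of that comparison failing.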

Recommendation: Offline Backups

Security experts have long recommended keeping offline backups as a defense against ransomware attacks.

To date, it's not clear how the KeRanger ransomware got added to a legitimate open source project, although the Palo Alto researchers suspect that attackers may have hacked into the project's website. "Transmission is an open source project," they say. "It's possible that Transmission's official website was compromised and the files were replaced by re-compiled malicious versions, but we can't confirm how this infection occurred."

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
